
How should software vendors prioritise vulnerability patches?


A surprisingly low number of vulnerabilities are actually exploited in the real world, according to a team of researchers from Cyentia, Virginia Tech and the RAND Corporation.

A white paper found that 4,183 unique security flaws were exploited in the real world from 2009 to 2018, fewer than half of the 9,726 exploits that had been posted online.

By analysing CVSS scores, they found that the most easily exploited vulnerabilities were exploited the most. No surprise there then.

Surprisingly though, the researchers also found no relationship between publishing proof-of-concept (PoC) exploit code online and the start of real-world attacks.

The problem of choosing which vulnerability to patch

In an ideal world, software vendors would patch every vulnerability that comes their way. This would keep their software completely watertight and safe from any chance of exploitation.

However, for most vendors patching everything is impossible: it would be a tremendously resource-heavy activity, and much of the effort may prove unnecessary, since a proportion of the exploits would never be used in an attack.

So here lies the problem. It is a balancing act between patching as much as you can and patching only the vulnerabilities most likely to be exploited, which risks leaving open vulnerabilities that could be exploited later.

CVSS scores explained

The Common Vulnerability Scoring System (CVSS v2) appeared in 2003 and became the standard for measuring the severity of a vulnerability.

It produces a score between 0 (lowest severity) and 10 (highest severity) based on six characteristics of a vulnerability, and is independent of any user's environment, security controls or known exploits.

Here's a quick look at the metrics used to create a CVSS score:

  • Access Vector - How the attacker can reach the vulnerable component: locally, from an adjacent network, or remotely over the network. The more remote an attacker can be and still attack the host, the higher the score.

  • Access Complexity - Once the attacker has access to the target, this metric measures how complex the attack required to exploit the vulnerability is. The lower the required complexity, the higher the score.

  • Authentication - The fewer times an attacker must authenticate in order to exploit the vulnerability, the higher the score.

  • Confidentiality Impact - The amount of information disclosed and its impact on the affected system. Greater confidentiality impact raises the score.

  • Integrity Impact - The degree to which the integrity of the affected system can be compromised. Greater integrity impact raises the score.

  • Availability Impact - The degree to which the availability of the system is reduced by a successful attack. Greater availability impact raises the score.

Findings and recommendations of the study

The white paper, Improving Vulnerability Remediation Through Better Exploit Prediction, concluded with key advice suggesting that the best combination of coverage, accuracy and efficiency was achieved by patching anything with a CVSS score of seven or more.

It also suggested that the findings from their research should inform an improvement in the CVSS scoring system as well as provide useful information to government bodies that are charged with reducing cyber threats.
